PHOENIX CONTACT: Security Advisory for multiple Industrial Controllers (Update A)

Phoenix Contact Classic Line industrial controllers (ILC1x0 and ILC1x1 product families as well as the AXIOLINE controllers AXC1050 and AXC3050) are developed and designed for the use in closed industrial networks. The communication protocols used for device management and configuration do not feature authentication measures.

Update A, 2022-06-21

This updated version contains additional affected products.
In addition, a new application note for classic line controllers had been published to make it easier for our customers to find out the actions how to disable the unauthorized communication ports instead of checking out each controller’s manual.


CVE-2019-9201: 9.8

Auma: SIMA² Master Station Denial of Service Vulnerability on Automation Runtime Webserver

Improper buffer restrictions in the webserver used in SIMA² Master Station software versions < V 2.6 may allow an unauthenticated network-based attacker to stop the cyclic program on the device and cause a denial of service.


CVE-2021-22275: 8.6

Endress+Hauser: Multiple products utilizing vulnerable WIBU-SYSTEMS CodeMeter components

For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.


CVE-2021-20093: 9.1
CVE-2021-22901: 8.1
CVE-2021-20094: 7.5
CVE-2020-8286: 7.5
CVE-2021-41057: 7.1
CVE-2021-41184: 6.1
CVE-2021-41182: 6.1
CVE-2021-41183: 6.1

Pepperl+Fuchs: RSM-EX devices - Multiple Bluetooth vulnerabilities

Critical vulnerabilities have been discovered in the utilized Bluetooth component.
For more information see: https://kb.cert.org/vuls/id/799380


CVE-2020-26559: 8.8
CVE-2020-26560: 8.1
CVE-2020-26557: 7.5
CVE-2020-26556: 7.5
CVE-2020-26555: 5.4
CVE-2020-26558: 4.2

PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices

Multiple vulnerabilities have been discovered in the firmware and in libraries utilized of RAD-ISM-900-EN-BD devices:

In addition to the above listed CVEs the following issues were identified:

Vulnerabilities related to outdated libraries:

  • BusyBox version 0.60.1: A CVE scan revealed 13 potential vulnerabilities. Some of these vulnerabilities impact services used by this device such as NTP and DHCP.
  • OpenSSL version 0.9.7-beta3: This version of OpenSSL uses deprecated ciphers and a CVE scan revealed over 87 potential vulnerabilities.

Over-privileged web application:
The web application is operated with root privileges. Therefore, if an attacker were able to achieve RCE via the web application they would be executing with the highest level of privileges.


CVE-2022-29897: 9.1
CVE-2022-29898: 9.1

TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability

A service function in the stated TRUMPF products is exposed without necessary authentication. Execution of this function may result in unauthorized access to, change of data or disruption of the whole service.


CVE-2022-1300: 9.8

Miele: Security vulnerability in Benchmark Programming Tool

The Miele Benchmark Programming Tool on a Microsoft Windows operating system, selects a folder by default upon installation that is writable for all users (C:\\MIELE_SERVICE). After the installation of the tool, users without administrative privileges are able to exchange or delete executable files in this path.


CVE-2022-22521: 7.3

Pepperl+Fuchs: Vulnerability in multiple VisuNet devices (UPDATE A)

Critical vulnerabilities have been discovered in the utilized component Remote Desktop Client by Microsoft.
For more information see: https://msrc.microsoft.com/update-guide/vulnerability/CVE- 2022-21990


CVE-2022-21990: 8.8

Feeds

Nach Hersteller

Archiv

2024
2023
2022
2021
2020
2019
2018
2017
2014

Legende

(Scoring für CVSS 2.0,3.0+3.1)
keine
Kein CVE verfügbar
Niedrig
0.1 <= 3.9
Mittel
4.0 <= 6.9
Hoch
7.0 <= 8.9
Kritisch
9.0 <= 10.0